What is GDPR?

GDPR, which stands for General Data Protection Regulation, is a comprehensive European data privacy and security law that went into effect on May 25, 2018. It is considered one of the strongest data privacy and security laws in the world.  

The GDPR is designed to protect the personal data of citizens or residents of the EU/EEA, known as “data subjects”. It affects any organization that stores or processes their data, even if it does not have a business presence in the EU/EEA. 

What is personal data?

Under the GDPR, personal data refers to any information that can directly or indirectly identify an individual. This can include their name, email address, identification number, location data, IP address or any other information specific to their physical, physiological, genetic, mental, economic, cultural or social identity.  

It’s important to note that any information that can be linked to an individual, even if it doesn’t directly identify them, is still considered personal data under the GDPR. 

Protecting personal data is a top priority for GamaLearn. We recognise the importance of GDPR compliance and are committed to keeping up with new developments. Our goal is to ensure that we meet all legal requirements, and maintain the trust of our customers and stakeholders through a proactive approach to data protection. 

What steps has GamaLearn taken to prepare for GDPR compliance?

GamaLearn has taken several steps to ensure compliance with GDPR. Here are some of the actions we have taken: 

Developing the necessary documentation, or making the necessary changes to existing ones, to ensure compliance with GDPR requirements. This includes policies, procedures or other documents that help us protect personal data and respond to data subject requests. 

Establishing a public GDPR compliance page on our website, to provide transparent information to our customers and other stakeholders. This page includes detailed information about our GDPR compliance efforts, as well as links to relevant resources. 

Revising our privacy policy and cookie policy to ensure they meet GDPR requirements and provide clear and transparent information about how we collect, process, and protect personal data.  

Providing our personnel with comprehensive information about the GDPR regulations. We have ensured that all our employees and contractors are aware of their responsibilities under GDPR, and understand how to handle personal data appropriately. 

Assessing our sub-processors to ensure they are also GDPR compliant. We have a rigorous vendor management process in place to verify that all third-party service providers who process personal data on our behalf meet our high standards for data protection and security. 

Creating a Data Processing Addendum based on Standard Contractual Clauses. This DPA helps us to ensure that all our data processing activities are compliant with the legal requirements and provide an adequate level of protection for personal data. 

Developing an incident response policy to manage any security incidents that may occur. We have put in place a comprehensive incident response plan that outlines the steps we will take to detect, investigate and respond to data breaches or other security incidents that may affect personal data. 

1. Roles under the GDPR

The GDPR defines two key roles in relation to personal data: data controller and data processor.  

A data controller determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of the controller.  

GamaLearn acts as a data processor when handling the personal data of third parties on behalf of its clients. For example, when GamaLearn’s SwiftAssess services are used to grade student tests, GamaLearn acts as a data processor.  

Conversely, GamaLearn’s clients are in most cases considered to be data controllers, as they dictate how GamaLearn processes personal data. 

2. Right to be forgotten

2.1. What is the right to erasure or the right to be forgotten? 

The right to erasure, also known as the right to be forgotten, is a fundamental right under the GDPR that allows individuals (also known as “data subjects”) to request the deletion or removal of their personal data. 

2.2. What is the scope of the right to be forgotten?  

Data subjects have the right to request the deletion of their personal data, and the controllers that process the data have an obligation to delete it “without undue delay” in a certain number of circumstances indicated in the GDPR. 

2.3. When do data subjects have the right to be forgotten? 

Under Article 17 of the GDPR, individuals have the right to request that their personal data be erased, and the controller must comply.  

There are several conditions for erasure, such as when the data is no longer needed for its original purpose or when the individual withdraws consent. In addition, erasure is also required when the data has been processed unlawfully or when there is a legal obligation to delete the data.  

2.4. Are there any exemptions to the right to be forgotten? 

It is important to note that the right to be forgotten, as defined by the GDPR, is not absolute. While individuals have the right to request the deletion of their personal data, there are circumstances where data retention is legally required. For example, where there is a legal obligation to retain the data, or where the data is necessary for legal claims, public health interests or scientific research purposes. 

2.5. How can GamaLearn help its clients with requests to delete personal data? 

When GamaLearn acts as a data processor, such as when it provides its SwiftAssess services to clients to process the personal data of third parties, it is obliged to assist the data controller in managing requests for the right to be forgotten. 

The extent of assistance may vary depending on the nature of the processing and the activity entrusted. Sometimes GamaLearn can assist by promptly forwarding any request received, while in other situations, more specialized technical assistance may be required. 

2.6. How can a data subject exercise the right to be forgotten? 

To exercise their right to be forgotten, a data subject may contact the data controller (i.e. GamaLearn’s clients) directly or submit a request through the available channels provided on GamaLearn’s website. 

Where GamaLearn acts as a data processor, it will promptly forward any request from a data subject to the relevant data controller, while providing the necessary assistance to ensure compliance with its instructions. 

2.7. How long will it take to process a data subject’s request? 

The time taken to process a request from a data subject will depend on the complexity of the request and the amount of data involved. Typically, data controllers should respond within one month of receiving the request.  

Upon receipt, GamaLearn will forward the request to the data controller and await their instructions regarding the deletion of personal data. GamaLearn will not respond directly to the request unless authorised to do so by the client. 

2.8. Recommendations to comply with the request to be forgotten under GDPR 

To comply with the right to be forgotten under the GDPR, GamaLearn’s clients can take several steps.  

Firstly, they should ensure that they have a clear policy for handling requests under the right to be forgotten.  

Secondly, they should provide a simple and accessible way for data subjects to submit their requests, such as an online form or email address.  

Thirdly, they should verify the identity of the requester and confirm the scope of the request to avoid misunderstandings.

Fourthly, they should promptly forward the request to the appropriate data controller if they are acting as a data processor. 

Finally, they should comply with the data subject’s request to be forgotten within one month from receipt of the request. If necessary, this period may be extended by two further months taking into account the complexity and the number of requests. 

As a data processor, GamaLearn will assist the data controller in fulfilling the requests for the right to be forgotten. If needed, we’ll facilitate the deletion of the data subject’s personal data from SwiftAssess as instructed by the data controller. 

3. Right not to be subject to a decision based solely on automated processing, including profiling

3.1. What are automated decision-making and profiling?  

Automated decision making refers to decisions made solely by software without human intervention, while profiling refers to the use of algorithms to predict the behaviour of a data subject based on their characteristics and actions.  

Automated decision making may be permitted if appropriate safeguards are in place and if permitted by law.  

3.2. What is the scope of the right not to be subject to a decision based solely on automated processing?  

The GDPR protects the right not to be subject to automated decision making, including profiling. This means that data subjects can object to decisions made solely by algorithms or other automated systems, which have legal or similarly significant consequences. However, decisions made with human input or that have minimal impact on legal rights may not fall under this right. 

3.3. Are there any exemptions? 

In some cases, data subjects may not have the right to object to automated decision making, including profiling. This includes situations where automated processing is necessary for a contract, required by law, or consented to by the data subject.  

However, the GDPR still requires that individuals be informed about the use of automated processing and their right to object, whenever possible. 

3.4. How can GamaLearn help its clients with requests not to be subject to automated decision-making?  

As a data processor, GamaLearn assists its clients, who are data controllers, in handling requests related to the right to object to automated decision making.  

If a request is made, GamaLearn will facilitate the necessary procedures to allow data subjects to provide their input and receive information about the decision making process. This may include reviewing the decision, providing explanations and offering the opportunity to appeal.  

For example, a student who objects to an automated admissions decision made using GamaLearn’s SwiftAssess platform may request human intervention and appeal the decision through GamaLearn or the school. GamaLearn will work with the school to address the request and provide additional information as necessary. 

3.5. How can a data subject exercise the right not to be subject to automated decision-making? 

To exercise their right not to be subject to automated decision-making, a data subject may contact the data controller (i.e. GamaLearn’s clients) directly or submit a request through the available channels provided on GamaLearn’s website.

In case GamaLearn receives a request from a data subject, the company will promptly forward it to the responsible data controller and provide any necessary assistance in responding to the request according to the instructions of the data controller. 

3.6. How long will it take to process the data subject’s request? 

The time required to process a request from a data subject will depend on the complexity of the request and the amount of personal data involved.  

However, as a general rule, the data controller should process the request without undue delay and, in any event, within one month of receipt of the request.  

3.7. Recommendations to comply with the request not to be subject to automated decision-making

Firstly, data controllers should implement specific data minimization measures, such as clear retention periods for profiles and personal data used to create or apply the profiles.  

Secondly, they should use anonymization or pseudonymization techniques when profiling.  

Thirdly, data subjects should be given the opportunity to express their views and contest the decision.  

Finally, a mechanism for human intervention should be provided in defined cases, such as a link to an appeals process at the point of automated decision delivery, with agreed timelines for review and a named contact point for any queries. 

Data Subject Request Form

Take control of your personal data. Our Data Subject Request Form allows you to assert your rights under data protection laws. Submit a request for access, rectification, deletion, or other data-related matters. We prioritize the security and confidentiality of your information throughout the process. Start the journey towards data empowerment by completing the simple form below. 

Data Processing Addendum

We have prepared a standard Data Protection Agreement that covers our general data processing practices and compliance measures. By using our services, you agree to be bound by this DPA. The standard DPA Draft is available here. If you need a customized signed/stamped version of the DPA, please send an email to org.dpo@gamalearn.com with your contact information. Our team will review your request and work with you to create a customized DPA that aligns with your needs.